Businesses and consumers are increasingly turning to the Internet to communicate, survey, and transact business among themselves and with each other. The size, volume and complexity of these communications and transactions has been steadily increasing as the Internet has become, over the years, an increasingly accepted medium for use by businesses and consumers. In particular, the Internet facilitates various types of electronic communications between computers linked thereto, and specifically, the users associated therewith.
Electronic communications have dramatically changed the ways in which people communicate. Electronic mail, commonly referred to as e-mail, is a widely used form of electronic communication. E-mail is the exchange of computer-stored messages by telecommunication, over a network, such as the Internet. E-mail accounts for the largest percentage of total traffic on the Internet. E-mail usage is expected to increase exponentially in the next few years as increasing numbers of people have access to computers, and therefore, the World Wide Web (WWW).
E-mail communications are desirable, as they are current, usually in real time, and are non-intrusive. Conversely, a telephone call is intrusive, as it must be attended to at the moment it is received, and may interfere with the recipient's activities. The e-mail recipient may open the e-mail when desired, and may delete the e-mail without reading it.
E-mail distribution to individuals and organizations is quick and economical. Senders create recipient lists, that may include thousands of recipients. Recipient e-mail addresses can be added and deleted from the lists as desired. The e-mail is composed once and sent to multitudes of recipients, all of whom receive the e-mail instantaneously. The e-mail can be duplicated and sent to recipients from another recipient list, typically in the matter of minutes.
Identity theft and related fraud have also grown with the seeming ubiquity of the Internet as a convenient communications medium. A U.S. Federal Trade Commission study, focusing only on identity theft, estimates that nearly 10 million adult citizens were victims of identity theft in the U.S. in 2003, resulting in business losses of over $47 billion and consumer losses of about $5 billion. Synovate, Federal Trade Commission: Identity Theft Survey Report at Page 7, Table 2 (September 2003). In general and aside from the specific issue of identity theft, businesses increasingly prefer to protect their customer data or are regulated by law, depending on the industry, in how they may share personally identifiable information from their customers with third parties.
Businesses have sought to address the preference or obligation to secure confidentiality of their customer data, in whole or in part, through a variety of methods. For example, people and businesses regularly use one or more of the following security measures to try protecting electronic data they consider sensitive. Password protection may be used to permit access to or retrieval of sensitive data. Data may be destroyed periodically, or it may be centralized at a location secured both physically and electronically. These technologies tend to trade-off effectiveness for utility. That is, the tendency is that the more effective a protection regime is, the greater the transaction costs of accessing the data and the less the data tends to be utilized. The easier it is to access data, for example through weak encryption or standardized and infrequently changed password access, the more the data may be utilized but the greater the risk of its theft or misuse.
In addition, traditional encryption technology applied to a database generally works with a single decryption key, which is reasonable in a two party relationship where one party hosts the database and encrypts the data (and perhaps utilizes it), while the other party deposits and retrieves the data for utilization. However, such technology tends to be ineffective in securing a database to which multiple parties deposit and retrieve encrypted data. Since there is only one decryption key to the entire database, the multiple parties will each have access to all the contents of the database, not just the data which they store in the database. To work around this shortcoming, it is possible to set up different databases for each customer. This solution, however, is more costly and inefficient than having a single database with multiple decryption keys, each one of which is unique to each customer with access to the database.